<HTML
><HEAD
><TITLE
>Access control</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.63
"><LINK
REL="HOME"
TITLE="The Linux System Administrator's Guide"
HREF="index.html"><LINK
REL="UP"
TITLE="Logging In And Out"
HREF="log-in-and-out.html"><LINK
REL="PREVIOUS"
TITLE="X and xdm"
HREF="x2288.html"><LINK
REL="NEXT"
TITLE="Shell startup"
HREF="x2308.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>The Linux System Administrator's Guide: Version 0.7</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x2288.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 10. Logging In And Out</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="x2308.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2291"
>10.5. Access control</A
></H1
><P
> The user database is traditionally contained in the
	<TT
CLASS="FILENAME"
>/etc/passwd</TT
> file.	Some systems use
	<I
CLASS="GLOSSTERM"
>shadow passwords</I
>, and have moved the
	passwords to <B
CLASS="COMMAND"
>/etc/shadow</B
>.  Sites with many
	computers that share the accounts use NIS or some other method
	to store the user database; they might also automatically copy
	the database from one central location to all other computers.
	</P
><P
> The user database contains not only the passwords, but
	also some additional information about the users, such as their
	real names, home directories, and login shells.  This other
	information needs to be public, so that anyone can read it.
	Therefore the password is stored encrypted.  This does have
	the drawback that anyone with access to the encrypted password
	can use various cryptographic methods to guess it, without
	trying to actually log into the computer.  Shadow passwords try
	to avoid this by moving the password into another file, which
	only root can read (the password is still stored encrypted).
	However, installing shadow passwords later onto a system that
	did not support them can be difficult.	</P
><P
> With or without passwords, it is important to make
	sure that all passwords in a system are good, i.e., not easily
	guessed.  The <B
CLASS="COMMAND"
>crack</B
> program can be used
	to crack passwords; any password it can find is by definition
	not a good one.  While <B
CLASS="COMMAND"
>crack</B
> can be run
	by intruders, it can also be run by the system administrator
	to avoid bad passwords.  Good passwords can also be enforced
	by the <B
CLASS="COMMAND"
>passwd</B
> program; this is in fact more
	effective in CPU cycles, since cracking passwords requires quite
	a lot of computation.  </P
><P
> The user group database is kept in
	<TT
CLASS="FILENAME"
>/etc/group</TT
>; for systems with shadow
	passwords, there can be a <TT
CLASS="FILENAME"
>/etc/shadow.group</TT
>.
	</P
><P
> root usually can't login via most terminals
	or the network, only via terminals listed in the
	<TT
CLASS="FILENAME"
>/etc/securetty</TT
> file.  This makes it necessary
	to get physical access to one of these terminals.  It is, however,
	possible to log in via any terminal as any other user, and use
	the <B
CLASS="COMMAND"
>su</B
> command to become root.  </P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="x2288.html"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="x2308.html"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>X and xdm</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="log-in-and-out.html"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Shell startup</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>